Abstract. We study the international standard XACML 3.0 for describing security access control policy in a compositional way. Our main contribution is to derive a logic that precisely captures the idea behind the standard and to formally define the semantics of the policy combining algorithms of XACML. To guard against modelling artefacts we provide an alternative way of characterizing the policy combining algorithms and we formally prove the equivalence of these approaches. This allows us to pinpoint the shortcomings of previous approaches to formalization based either on Belnap logic or on D-algebra.



1 Introduction 

XACML (eXtensible Access Control Markup Language) is an approved OASIS Standard access control language [14]. XACML describes both an access control policy language and a request/response language. The policy language is used to express access control policies (who can do what when), while the request language expresses queries about whether a particular access should be allowed and the response language describes answers to those queries.

In order to manage modularity in access control, XACML structures policies into several components, namely PolicySet, Policy and Rule. A PolicySet is a collection of other PolicySets or Policies, whereas a Policy consists of one or more Rules. A Rule is the smallest component of an XACML policy and each Rule either grants or denies an access. As an illustration, suppose we have access control policies used within a National Health Care System. The system is composed of several access control policies of local hospitals. Each local hospital has its own policies such as a patient policy, a doctor policy, an administration policy, etc. Each policy contains one or more particular rules; for example, in the patient policy there is a rule that only the designated patient can read his or her record. In this illustration, both the National Health Care System and the local hospital policies are PolicySets, whereas the patient policy is a Policy and one of its rules is the patient record policy. Every policy is only applicable to a certain target: a policy is applicable when a request matches its target, otherwise it is not applicable. The evaluation of composed policies is based on a combining algorithm, the procedure for combining decisions from multiple policies. There are four standard combining algorithms in XACML, i.e., (i) permit-overrides, (ii) deny-overrides, (iii) first-applicable and (iv) only-one-applicable.

OASIS (Organization for the Advancement of Structured Information Standards) is a non-for-

The syntax of XACML is based on the XML format [2], while its standard semantics is described normatively using natural language in [14]. Using English paragraphs in a standard leads to misinterpretation and ambiguity. In order to avoid this drawback, we define an abstract syntax of XACML 3.0 and a formal evaluation of XACML components based on the XACML 3.0 specification in Section 2. Furthermore, the evaluation of the XACML combining algorithms is explained in Section 3.

Recently there have been several approaches to formalizing the semantics of XACML. In [8], Halpern and Weissman show an XACML formalization using First Order Logic (FOL). However, their formalization does not capture the whole XACML specification; it is too expensive to express the XACML combining algorithms in FOL. Kolovski et al. in [10, 11] map a large fragment of XACML to Description Logic (DL), a subset of FOL, but they leave out the formalization of the only-one-applicable combining algorithm. Another approach is to represent XACML policies in terms of Answer Set Programming (ASP). Although Ahn et al. in [1] show a complete XACML formalization in ASP, their formalization is based on XACML 2.0, which is out of date nowadays. In particular, the evaluation of combining algorithms in XACML 2.0 is simpler than in XACML 3.0. Our XACML 3.0 formalization is closer to multi-valued logic approaches such as Belnap logic [4] and D-algebra [13]. Bruns et al. in [5, 6] and Ni et al. in [13] define a logic for XACML using Belnap logic and D-algebra, respectively. In some cases, both methods show different results from the XACML standard specification. We discuss the shortcomings of formalization based either on Belnap logic or on D-algebra in Section 4 and we conclude in Section 5.

2 XACML Components 

XACML syntax is described verbosely in XML format. For the purpose of our analysis, we abstract the XACML components. From the abstraction, we show how XACML evaluates policies. We give an example of how XACML policies can be described in our abstraction, and of the evaluation of the components, at the end of this section.

2.1 Abstracting XACML Components 

There are three main policy components in XACML, namely PolicySet, Policy and Rule. PolicySet is the root of all XACML policies. A PolicySet is composed of a sequence of other PolicySet or Policy components along with a policy combining algorithm ID and a Target. A Policy is composed of a sequence of Rules, a Target and a rule combining algorithm ID. A Rule is a single entity that defines an individual rule in the policy. Each Rule has a particular effect on an access request, i.e., it either denies or permits the access. Each Rule is composed of a Target and a Condition. A Target is an XACML component that indicates under which categories an XACML policy is applicable. A Target consists of a conjunction of AnyOf components, each AnyOf consists of a disjunction of AllOf components, and each AllOf consists of a conjunction of Match components. Each Match contains only one particular category to be matched with the request. Typical categories of XACML attributes are the subject category (e.g. human user, workstation, etc.), the action category (e.g. read, write, delete, etc.), the resource category (e.g. database, server, etc.) and the environment category (e.g. SAML, J2SE, CORBA, etc.). A Condition is a set of propositional formulae that refines the applicability of a Rule.

A Request contains a set of available information about the desired access, such as subject, action, resource and environment categories. A Request also contains additional information about external state, e.g. the current time, the temperature, etc.

We present in Table 1 a succinct syntax of XACML 3.0 that is faithful to the more verbose syntax used in the standard [14].

Table 1. Abstraction of XACML 3.0 Components

XACML Policy Components

  PolicySet := (Target, (PolicySet_1, ..., PolicySet_m), θ)
             | (Target, (Policy_1, ..., Policy_m), θ)        where m ≥ 1
  Policy    := (Target, (Rule_1, ..., Rule_m), θ)            where m ≥ 1
  Rule      := (Effect, Target, Condition)
  Condition := propositional formulae
  Target    := Null
             | AnyOf_1 ∧ ... ∧ AnyOf_m                        where m ≥ 1
  AnyOf     := AllOf_1 ∨ ... ∨ AllOf_m                        where m ≥ 1
  AllOf     := Match_1 ∧ ... ∧ Match_m                        where m ≥ 1
  Match     := φ(a)
  φ         := subject | action | resource | environment
  a         := attribute value
  θ         := p-o | d-o | f-a | o-1-a
  Effect    := d | p

XACML Request Component

  Request   := {A_1, ..., A_m}                                where m ≥ 1
  A         := φ(a) | external state

2.2 XACML Evaluation 

The evaluation of XACML components starts from Match evaluation and continues iteratively up to PolicySet evaluation. The Match, AllOf, AnyOf and Target values are either match, not match or indeterminate. The value is indeterminate if there is an error during the evaluation, so that the decision cannot be made at that moment. The Rule evaluation depends on Target evaluation and Condition evaluation. The Condition component is a set of propositional formulae, each of which is evaluated to either true, false or indeterminate. An empty Condition is always evaluated to true. The Rule's value is either applicable, not applicable or indeterminate. An applicable Rule has effect either deny or permit. Finally, the evaluation of Policy and PolicySet is based on a combining algorithm, of which the result can be either applicable (with its effect either deny or permit), not applicable or indeterminate.

2.2.1 Three-Valued Lattice 

We use three-valued logic to determine XACML evaluation values. We define L_3 = (V_3, ≤) to be the three-valued lattice where V_3 is the set {⊤, I, ⊥} and ⊥ ≤ I ≤ ⊤. Given a subset S of V_3, we denote the greatest lower bound (glb) and the least upper bound (lub) of S (w.r.t. L_3) by ⊓S and ⊔S, respectively. Recall that ⊓∅ = ⊤ and ⊔∅ = ⊥.

We use the ⟦.⟧ notation to map XACML elements into their evaluation values. The evaluation of XACML components to values in V_3 is summarized in Table 2.

Table 2. Mapping V_3 into XACML Evaluation Values

  V_3   Match and Target value   Condition value   Rule, Policy and PolicySet value
  ⊤     match                    true              applicable (either deny or permit)
  ⊥     not match                false             not applicable
  I     indeterminate            indeterminate     indeterminate

2.2.2 Match Evaluation 

A Match element M is an attribute value that the request should fulfil. Given a Request component Q, the evaluation of the Match element is as follows:

\[
\llbracket M \rrbracket(Q) =
\begin{cases}
\top & M \in Q \\
\bot & M \notin Q \\
I & \text{there is an error during the evaluation}
\end{cases}
\tag{1}
\]

2.2.3 Target Evaluation 

Let M be a Match, A = M_1 ∧ ... ∧ M_m be an AllOf, E = A_1 ∨ ... ∨ A_n be an AnyOf, T = E_1 ∧ ... ∧ E_o be a Target and Q be a Request. Then the evaluations of AllOf, AnyOf and Target are as follows:

\[ \llbracket A \rrbracket(Q) = \bigsqcap_{i=1}^{m} \llbracket M_i \rrbracket(Q) \tag{2} \]

\[ \llbracket E \rrbracket(Q) = \bigsqcup_{i=1}^{n} \llbracket A_i \rrbracket(Q) \tag{3} \]

\[ \llbracket T \rrbracket(Q) = \bigsqcap_{i=1}^{o} \llbracket E_i \rrbracket(Q) \tag{4} \]

In summary, we can simplify the Target evaluation as follows:

\[ \llbracket T \rrbracket(Q) = \bigsqcap \bigsqcup \bigsqcap \llbracket M \rrbracket(Q) \tag{5} \]

An empty Target, indicated by Null, is always evaluated to ⊤.
2.2.4 Condition Evaluation

We define the condition evaluation function eval as an arbitrary function that evaluates a Condition to a value in V_3 given a Request component Q. The evaluation of a Condition C is defined as follows:

\[ \llbracket C \rrbracket(Q) = \mathit{eval}(C, Q) \tag{6} \]

2.2.5 Extended Values 

In order to distinguish an applicable policy that permits an access from an applicable policy that denies an access, we extend ⊤ in V_3 to ⊤_p and ⊤_d, respectively. The same also applies to the indeterminate value. The extended indeterminate value records the potential effect values which could have occurred if there had not been an error during the evaluation. The possible extended indeterminate values are [14]:

- Indeterminate Deny (I_d): an indeterminate from a policy which could have evaluated to deny but not permit, e.g., a Rule which evaluates to indeterminate and whose effect is deny.

- Indeterminate Permit (I_p): an indeterminate from a policy which could have evaluated to permit but not deny, e.g., a Rule which evaluates to indeterminate and whose effect is permit.

- Indeterminate Deny Permit (I_dp): an indeterminate from a policy which could have had effect either deny or permit.

We extend the set V_3 to V_6 = {⊤_p, ⊤_d, I_d, I_p, I_dp, ⊥} and we use V_6 to evaluate XACML policies.



2.2.6 Rule Evaluation 

Let R = (*, T, C) be a Rule, where * ∈ {p, d} is its effect, and let Q be a Request. Then the evaluation of the Rule is determined as follows:

\[
\llbracket R \rrbracket(Q) =
\begin{cases}
\top_{*} & \llbracket T \rrbracket(Q) = \top \text{ and } \llbracket C \rrbracket(Q) = \top \\
\bot & (\llbracket T \rrbracket(Q) = \top \text{ and } \llbracket C \rrbracket(Q) = \bot) \text{ or } \llbracket T \rrbracket(Q) = \bot \\
I_{*} & \text{otherwise}
\end{cases}
\tag{7}
\]

Let F and G be two values in V_3. We define a new operator → : V_3 × V_3 → V_3 as follows:

\[
F \to G =
\begin{cases}
G & F = \top \\
F & \text{otherwise}
\end{cases}
\tag{8}
\]

We define a function σ : V_3 × {p, d} → V_6 that maps a value in V_3 into a value in V_6 given a particular Rule's effect as follows:

\[
\sigma(X, *) =
\begin{cases}
\bot & X = \bot \\
X_{*} & \text{otherwise}
\end{cases}
\tag{9}
\]
Proposition 1. Let R = (*, T, C) be a Rule and Q be a Request. Then the following equation holds:

\[ \llbracket R \rrbracket(Q) = \sigma(\llbracket T \rrbracket(Q) \to \llbracket C \rrbracket(Q), *) \tag{10} \]

Proof. The table below shows the proof of Proposition 1 by enumerating all values of ⟦T⟧(Q) and ⟦C⟧(Q); each row agrees with the corresponding case of (7).

  ⟦T⟧(Q)   ⟦C⟧(Q)   ⟦T⟧(Q) → ⟦C⟧(Q)   σ(⟦T⟧(Q) → ⟦C⟧(Q), *)
  ⊤        ⊤        ⊤                 ⊤_*
  ⊤        ⊥        ⊥                 ⊥
  ⊤        I        I                 I_*
  ⊥        ⊤        ⊥                 ⊥
  ⊥        ⊥        ⊥                 ⊥
  ⊥        I        ⊥                 ⊥
  I        ⊤        I                 I_*
  I        ⊥        I                 I_*
  I        I        I                 I_*

□
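As an added illustration (not code from the paper), the following Python encodes the evaluation functions (1) to (9) over V_3 and V_6 and checks Proposition 1 by enumerating the nine rows of the table above. The value names (`'top'`, `'I'`, `'bot'`, `'top_p'`, ...), the constructed request and the rule (RP3 of Example 1 in the next section) are this example's own choices; an error during Match evaluation is simulated by listing the offending attribute term in an `errors` set.

```python
from itertools import product

# V3 = {bot < I < top} (Section 2.2.1); RANK encodes the lattice order
TOP, I, BOT = 'top', 'I', 'bot'
RANK = {BOT: 0, I: 1, TOP: 2}

def glb(values):
    """Greatest lower bound in V3; glb of the empty set is top."""
    return min(values, key=RANK.get, default=TOP)

def lub(values):
    """Least upper bound in V3; lub of the empty set is bot."""
    return max(values, key=RANK.get, default=BOT)

# eq. (1): a Match is an attribute term that must occur in the Request (a set of terms).
# `errors` is a constructed device: a term listed there cannot be evaluated and yields I.
def eval_match(match, request, errors=frozenset()):
    if match in errors:
        return I
    return TOP if match in request else BOT

# eqs. (2)-(4): AllOf = glb over Matches, AnyOf = lub over AllOfs, Target = glb over AnyOfs.
# A Target is a list of AnyOf, each a list of AllOf, each a list of Match terms; None is Null.
def eval_allof(allof, request, errors=frozenset()):
    return glb(eval_match(m, request, errors) for m in allof)

def eval_anyof(anyof, request, errors=frozenset()):
    return lub(eval_allof(a, request, errors) for a in anyof)

def eval_target(target, request, errors=frozenset()):
    if target is None:                       # Null target is always top
        return TOP
    return glb(eval_anyof(e, request, errors) for e in target)

# eq. (6): Condition evaluation is an arbitrary evaluator; here a predicate over the request.
# An exception raised while evaluating the predicate is the "error" that yields I.
def eval_condition(cond, request):
    if cond is None:                         # empty Condition is true
        return TOP
    try:
        return TOP if cond(request) else BOT
    except Exception:
        return I

# eq. (7): Rule value in V6, written as the case split on the Target and Condition values.
def rule_value(t, c, effect):
    if t == TOP and c == TOP:
        return 'top_' + effect
    if (t == TOP and c == BOT) or t == BOT:
        return BOT
    return 'I_' + effect

def eval_rule(rule, request, errors=frozenset()):
    effect, target, cond = rule
    return rule_value(eval_target(target, request, errors),
                      eval_condition(cond, request), effect)

# eqs. (8) and (9): the -> operator on V3 and the effect-tagging function sigma into V6.
def arrow(f, g):
    return g if f == TOP else f

def sigma(x, effect):
    return BOT if x == BOT else x + '_' + effect

def proposition1_holds():
    """Exhaustive check of eq. (10): rule_value(t, c, *) == sigma(t -> c, *) for all t, c, *."""
    return all(rule_value(t, c, e) == sigma(arrow(t, c), e)
               for t, c, e in product((TOP, I, BOT), (TOP, I, BOT), ('p', 'd')))

# Constructed sample: rule RP3 of Example 1 and the doctor's read request.
RP3 = ('p',
       [[[('subject', 'doctor')], [('subject', 'nurse')]],   # one AnyOf with two AllOfs
        [[('action', 'read')]],
        [[('resource', 'patient_record')]]],
       None)
READ_REQUEST = {('subject', 'doctor'), ('action', 'read'), ('resource', 'patient_record')}

if __name__ == '__main__':
    print(eval_rule(RP3, READ_REQUEST))                                   # top_p
    print(eval_rule(RP3, READ_REQUEST, errors={('subject', 'doctor')}))   # I_p
    print(proposition1_holds())                                           # True
```

Injecting an error into the `subject(doctor)` Match turns the whole Target indeterminate (the `nurse` alternative is `bot`, and `lub(I, bot) = I`), so the Rule yields `I_p`: the effect that would have applied had the lookup succeeded, exactly the information the extended indeterminate values of Section 2.2.5 are meant to carry.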

2.2.7 Policy Evaluation 



The standard evaluation of the Policy element, taken from [14], is as follows:

  Target value    Rule value                                 Policy value
  match           At least one Rule value is applicable      Specified by the combining algorithm
  match           All Rule values are not applicable         not applicable
  match           At least one Rule value is indeterminate   Specified by the combining algorithm
  not match       Don't care                                 not applicable
  indeterminate   Don't care                                 indeterminate

Let P = (T, R, θ) be a Policy where R = (R_1, ..., R_n). Let Q be a Request and R' = (⟦R_1⟧(Q), ..., ⟦R_n⟧(Q)). The evaluation of the Policy is defined as follows:

\[
\llbracket P \rrbracket(Q) =
\begin{cases}
I_{*} & \llbracket T \rrbracket(Q) = I \text{ and } \oplus_{\theta}(R') \in \{ \top_{*}, I_{*} \} \\
\bot & \llbracket T \rrbracket(Q) = \bot \text{ or } (\llbracket T \rrbracket(Q) = \top \text{ and } \forall R_i : \llbracket R_i \rrbracket(Q) = \bot) \\
\oplus_{\theta}(R') & \text{otherwise}
\end{cases}
\tag{11}
\]

Note 1. The combining algorithms denoted by ⊕_θ are explained in Section 3.
2.2.8 PolicySet Evaluation 

The evaluation of a PolicySet is similar to Policy evaluation. However, the input of the combining algorithm is a sequence of either PolicySet or Policy components.

Let PS = (T, P, θ) be a PolicySet where P = (P_1, ..., P_n). Let Q be a Request and P' = (⟦P_1⟧(Q), ..., ⟦P_n⟧(Q)). The evaluation of the PolicySet is defined as follows:

\[
\llbracket PS \rrbracket(Q) =
\begin{cases}
I_{*} & \llbracket T \rrbracket(Q) = I \text{ and } \oplus_{\theta}(P') \in \{ \top_{*}, I_{*} \} \\
\bot & \llbracket T \rrbracket(Q) = \bot \text{ or } (\llbracket T \rrbracket(Q) = \top \text{ and } \forall P_i : \llbracket P_i \rrbracket(Q) = \bot) \\
\oplus_{\theta}(P') & \text{otherwise}
\end{cases}
\tag{12}
\]

2.3 Example 

The following example briefly simulates how a policy is built using the abstraction. The example is motivated by [7, 9], which presents a health information system for a small nursing home in New South Wales, Australia.

Example 1 (Patient Policy). The general policy in the hospital is, in particular:

1. Patient Record Policy

   - RP1: only the designated patient can read his or her patient record, except that if the patient is less than 18 years old, the patient's guardian is also permitted to read the patient's record,

   - RP2: patients may only write patient surveys into their own records,

   - RP3: both doctors and nurses are permitted to read any patient records.

2. Medical Record Policy

   - RM1: doctors may only write medical records for their own patients and

   - RM2: may not write any other patient records.

The XACML policies for this example are shown in Figure 1. The topmost policy in this example is the Patient Policy, which contains two policies, namely the Patient Record Policy and the Medical Record Policy. The access is granted if either the Patient Record Policy or the Medical Record Policy gives a permit. Thus, in this case, we use the permit-overrides combining algorithm to combine those two policies. In order to restrict the access, each policy denies an access if there is a rule that denies it. Thus, we use the deny-overrides combining algorithm to combine the rules.

Suppose now there is an emergency situation and a doctor D asks permission to read patient record P. The Request is as follows:

{ subject(doctor), action(read), resource(patient_record), doctor(id, d), patient(id, p), patient_record(id, p) }

Only the Target of RP3 matches this request, and the effect of RP3 is permit. Thus the final result is that doctor D is allowed to read patient record P. Now suppose that after giving some treatment the doctor wants to update the medical record. The request sent is

{ subject(doctor), action(write), resource(medical_record), doctor(id, d), patient(id, p), medical_record(id, p) }

The Targets of RM1 and RM2 both match this request; however, because doctor D is not registered as patient P's doctor, the Condition of RM1 evaluates to false while the Condition of RM2 evaluates to true. In consequence, Rule RM1 is not applicable while Rule RM2 is applicable with effect deny.
PS_patient       = <Null, <P_patient_record, P_medical_record>, p-o>
P_patient_record = <Null, <RP1, RP2, RP3>, d-o>
P_medical_record = <Null, <RM1, RM2>, d-o>

RP1 = < p,
        subject(patient) /\ action(read) /\ resource(patient_record),
        patient(id, X) /\ patient_record(id, Y) /\
          (X = Y \/ (age(Y) < 18 /\ guardian(X, Y))) >

RP2 = < p,
        subject(patient) /\ action(write) /\ resource(patient_survey),
        patient(id, X) /\ patient_survey(id, X) >

RP3 = < p,
        (subject(doctor) \/ subject(nurse)) /\ action(read) /\ resource(patient_record),
        true >

RM1 = < p,
        subject(doctor) /\ action(write) /\ resource(medical_record),
        doctor(id, X) /\ patient(id, Y) /\ medical_record(id, Y) /\ patient_doctor(Y, X) >

RM2 = < d,
        subject(doctor) /\ action(write) /\ resource(medical_record),
        doctor(id, X) /\ patient(id, Y) /\ medical_record(id, Y) /\ not patient_doctor(Y, X) >

Figure 1. The XACML Policy for Patient Policy
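To run Example 1 end to end, here is an added Python example (not code from the paper) that encodes the three components of Figure 1 with the tuple syntax of Table 1, evaluates Rules by eq. (7), Policies by eq. (11) and the PolicySet by eq. (12), and combines values with permit-overrides and deny-overrides written as the seven-step rule lists of Sections 3.2 and 3.3. Conditions are Python predicates over a request dictionary, and the external state `patient_doctor` (who is registered as whose doctor) is part of that dictionary; the requests, attribute key names and the way a missing attribute is treated as an evaluation error are this example's own assumptions.

```python
# V3 values for Target and Condition; V6 values for Rule, Policy and PolicySet share 'bot'.
TOP, I, BOT = 'top', 'I', 'bot'

# Components, following Table 1: ('Rule', effect, target, cond), ('Policy', target, rules, alg)
# and ('PolicySet', target, children, alg). A Target is None (Null) or a list of AnyOf, each a
# list of AllOf, each a list of (category, value) Matches. A Request is a dict of attributes
# plus the external state the Conditions consult.
def eval_target(target, request):
    """eqs. (2)-(5) for this example, where no Match raises an error (result is top or bot)."""
    if target is None:
        return TOP
    ok = all(any(all(request.get(cat) == val for cat, val in allof) for allof in anyof)
             for anyof in target)
    return TOP if ok else BOT

def eval_condition(cond, request):
    """eq. (6): a Condition is a predicate; a missing attribute is an error and yields I."""
    if cond is None:
        return TOP
    try:
        return TOP if cond(request) else BOT
    except KeyError:
        return I

# Sections 3.2 and 3.3: the combining algorithms as the seven-step rule lists of the standard.
def permit_overrides(vals):
    s = set(vals)
    if 'top_p' in s:
        return 'top_p'
    if 'I_dp' in s or ('I_p' in s and s & {'I_d', 'top_d'}):
        return 'I_dp'
    if 'I_p' in s:
        return 'I_p'
    if 'top_d' in s:
        return 'top_d'
    if 'I_d' in s:
        return 'I_d'
    return BOT

SWAP = {'top_p': 'top_d', 'top_d': 'top_p', 'I_p': 'I_d', 'I_d': 'I_p', 'I_dp': 'I_dp', BOT: BOT}

def deny_overrides(vals):
    """Deny-overrides is permit-overrides with the roles of d and p exchanged."""
    return SWAP[permit_overrides([SWAP[v] for v in vals])]

ALGS = {'p-o': permit_overrides, 'd-o': deny_overrides}

def evaluate(component, request):
    """eq. (7) for a Rule; eqs. (11) and (12) for a Policy and a PolicySet."""
    if component[0] == 'Rule':
        _, effect, target, cond = component
        t = eval_target(target, request)
        if t == BOT:
            return BOT
        c = eval_condition(cond, request) if t == TOP else I   # Target = I gives I_* regardless of C
        return {TOP: 'top_' + effect, BOT: BOT, I: 'I_' + effect}[c]
    _, target, children, alg = component
    t = eval_target(target, request)
    vals = [evaluate(child, request) for child in children]
    if t == BOT or (t == TOP and all(v == BOT for v in vals)):
        return BOT
    combined = ALGS[alg](vals)
    if t == I and combined != BOT:                               # I_* with the potential effect
        return 'I_' + combined.split('_', 1)[1]
    return combined

# Figure 1 in the abstract syntax.
def conj(*matches):                # a purely conjunctive Target: one single-Match AllOf per AnyOf
    return [[[m]] for m in matches]

def own_record(q):                 # Condition of RP1
    x, y = q['patient.id'], q['patient_record.id']
    return x == y or (q['age'][y] < 18 and (x, y) in q['guardian'])

def own_patient(q):                # Condition of RM1
    return q['medical_record.id'] == q['patient.id'] and (q['patient.id'], q['doctor.id']) in q['patient_doctor']

def other_patient(q):              # Condition of RM2
    return q['medical_record.id'] == q['patient.id'] and (q['patient.id'], q['doctor.id']) not in q['patient_doctor']

RP1 = ('Rule', 'p', conj(('subject', 'patient'), ('action', 'read'), ('resource', 'patient_record')), own_record)
RP2 = ('Rule', 'p', conj(('subject', 'patient'), ('action', 'write'), ('resource', 'patient_survey')),
       lambda q: q['patient.id'] == q['patient_survey.id'])
RP3 = ('Rule', 'p', [[[('subject', 'doctor')], [('subject', 'nurse')]]]
       + conj(('action', 'read'), ('resource', 'patient_record')), None)
RM1 = ('Rule', 'p', conj(('subject', 'doctor'), ('action', 'write'), ('resource', 'medical_record')), own_patient)
RM2 = ('Rule', 'd', conj(('subject', 'doctor'), ('action', 'write'), ('resource', 'medical_record')), other_patient)

P_PATIENT_RECORD = ('Policy', None, [RP1, RP2, RP3], 'd-o')
P_MEDICAL_RECORD = ('Policy', None, [RM1, RM2], 'd-o')
PS_PATIENT = ('PolicySet', None, [P_PATIENT_RECORD, P_MEDICAL_RECORD], 'p-o')

# Constructed requests from the text: doctor d reads, then writes, patient p's records;
# the external state 'patient_doctor' is empty, i.e. d is NOT p's registered doctor.
READ_REQ = {'subject': 'doctor', 'action': 'read', 'resource': 'patient_record',
            'doctor.id': 'd', 'patient.id': 'p', 'patient_record.id': 'p', 'patient_doctor': set()}
WRITE_REQ = {'subject': 'doctor', 'action': 'write', 'resource': 'medical_record',
             'doctor.id': 'd', 'patient.id': 'p', 'medical_record.id': 'p', 'patient_doctor': set()}

if __name__ == '__main__':
    print(evaluate(PS_PATIENT, READ_REQ))    # top_p
    print(evaluate(PS_PATIENT, WRITE_REQ))   # top_d
```

The write request ends in `top_d`: RM1 is not applicable, RM2 denies, deny-overrides keeps the deny, and permit-overrides at the PolicySet level has no permit to override it with. If the `patient_doctor` state is absent from the request altogether, both RM1 and RM2 become indeterminate (`I_p` and `I_d`), deny-overrides turns that pair into `I_dp`, and the PolicySet reports `I_dp` as well, which is the behaviour the extended indeterminate values are designed to expose.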



3 Combining Algorithms 

Currently, there are four basic combining algorithms in XACML, namely (i) permit- 
overrides, (ii) deny-overrides, (iii) first-applicable, and (iv) only-one-applicable. 

The input of a combining algorithm is a sequence of Rule, Policy or PolicySet 
values. In this section we give formalizations of the XACML 3.0 combining algorithms 
based on [14]. To guard against modelling artifacts we provide an alternative way of 
characterizing the policy combining algorithms and we formally prove the equivalence 
of these approaches. 

3.1 Pairwise Policy Values 

In V_6 we define the truth values of XACML components by extending ⊤ to ⊤_p and ⊤_d and I to I_d, I_p and I_dp. This approach shows the status of an XACML component straightforwardly. However, a numerical encoding is easier when we need to compute, especially when composing policies. Thus, we encode all the values returned by the algorithms as pairs of rational numbers.

In this numerical encoding, the value 1 represents an applicable value (either deny or permit), ½ represents an indeterminate value and 0 means there is no applicable value. In each pair, the first element represents the Deny value (⊤_d) and the second represents the Permit value (⊤_p). We write [0, 0] for not applicable (⊥) because neither Deny nor Permit is applicable, [1, 0] for applicable with deny effect (⊤_d) because only the Deny value is applicable, [½, 0] for I_d because the Deny part is indeterminate, and [½, ½] for I_dp because both Deny and Permit have indeterminate values. The conversion applies symmetrically for Permit.

The set of pairwise policy values is P = {[0, 0], [½, 0], [0, ½], [½, ½], [1, 0], [0, 1]}. Let [D, P] be an element of P. We denote by d([D, P]) = D and p([D, P]) = P the functions that return the Deny value and the Permit value, respectively.

We define δ : V_6 → P as a mapping function that maps V_6 into P as follows:

\[
\delta(X) =
\begin{cases}
[0, 0] & X = \bot \\
[\tfrac{1}{2}, 0] & X = I_d \\
[0, \tfrac{1}{2}] & X = I_p \\
[\tfrac{1}{2}, \tfrac{1}{2}] & X = I_{dp} \\
[1, 0] & X = \top_d \\
[0, 1] & X = \top_p
\end{cases}
\tag{13}
\]

We extend δ to a sequence S as δ(S) = ⟨δ(s) | s ∈ S⟩.

We use pairwise comparison for the order on P. We define an order ⊑_P on P as follows: [D_1, P_1] ⊑_P [D_2, P_2] iff D_1 ≤ D_2 and P_1 ≤ P_2, with 0 < ½ < 1. We write P_P for the partially ordered set (poset) (P, ⊑_P) illustrated in Figure 2.

[Figure 2: Hasse diagram of P_P with [0, 0] = ⊥ at the bottom and [1, 0] = ⊤_d, [½, ½] = I_dp and [0, 1] = ⊤_p in the top row.]

Figure 2. The Partially Ordered Set P_P for Pairwise Policy Values

Let max : 2^ℚ → ℚ be a function that returns the maximum value of a set of rational numbers and let min : 2^ℚ → ℚ be a function that returns the minimum value of a set of rational numbers. We define Max_⊑P : 2^P → P as the function that returns the maximum pairwise policy value, defined as follows:

\[ \mathit{Max}_{\sqsubseteq_P}(S) = [\max(\{ d(X) \mid X \in S \}),\ \max(\{ p(X) \mid X \in S \})] \tag{14} \]

and Min_⊑P : 2^P → P as the function that returns the minimum pairwise policy value, defined as follows:

\[ \mathit{Min}_{\sqsubseteq_P}(S) = [\min(\{ d(X) \mid X \in S \}),\ \min(\{ p(X) \mid X \in S \})] \tag{15} \]
[Figure 3: three Hasse diagrams over V_6, each with ⊥ at the bottom; ⊤_p is the top element of the permit-overrides lattice and ⊤_d the top element of the deny-overrides lattice.]

Figure 3. The Lattice L_p-o for the Permit-Overrides Combining Algorithm (left), the Lattice L_d-o for the Deny-Overrides Combining Algorithm (middle) and the Lattice L_o-1-a for the Only-One-Applicable Combining Algorithm (right)

3.2 Permit-Overrides Combining Algorithm 

The permit-overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision. This algorithm (taken from [14]) has the following behaviour:

1. If any decision is ⊤_p then the result is ⊤_p,

2. otherwise, if any decision is I_dp then the result is I_dp,

3. otherwise, if any decision is I_p and another decision is I_d or ⊤_d, then the result is I_dp,

4. otherwise, if any decision is I_p then the result is I_p,

5. otherwise, if any decision is ⊤_d then the result is ⊤_d,

6. otherwise, if any decision is I_d then the result is I_d,

7. otherwise, the result is ⊥.

We call L_p-o = (V_6, ⊑_p-o) the lattice for the permit-overrides combining algorithm, where ⊑_p-o is the ordering depicted in Figure 3. The least upper bound operator for L_p-o is denoted by ⊔_p-o.

Definition 1. The permit-overrides combining algorithm ⊕^{V_6}_{p-o} is a mapping function from a sequence of V_6 elements into an element in V_6 as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in V_6 and S' = {s_1, ..., s_n}. We define the permit-overrides combining algorithm under V_6 as follows:

\[ \oplus^{V_6}_{p\text{-}o}(S) = \bigsqcup_{p\text{-}o} S' \tag{16} \]

The permit-overrides combining algorithm can also be expressed under P. The idea is that we inspect the maximum value of Deny and Permit in the set of pairwise policy values. We conclude that the decision is permit if Permit is applicable (i.e. it has value 1). If Permit is indeterminate (i.e. it has value ½), then the decision is I_dp if Deny is either indeterminate (i.e. it has value ½) or applicable (i.e. it has value 1). Otherwise we take the maximum value of Deny and Permit from the set of pairwise policy values as the result of the permit-overrides combining algorithm.
Definition 2. The permit-overrides combining algorithm ⊕^P_{p-o} is a mapping function from a sequence of P elements into an element in P as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of pairwise policy values and S' = {s_1, ..., s_n}. We define the permit-overrides combining algorithm under P as follows:

\[
\oplus^{P}_{p\text{-}o}(S) =
\begin{cases}
[0, 1] & \mathit{Max}_{\sqsubseteq_P}(S') = [\_, 1] \\
[\tfrac{1}{2}, \tfrac{1}{2}] & \mathit{Max}_{\sqsubseteq_P}(S') = [D, \tfrac{1}{2}],\ D \ge \tfrac{1}{2} \\
\mathit{Max}_{\sqsubseteq_P}(S') & \text{otherwise}
\end{cases}
\tag{17}
\]

Proposition 2. Let S be a sequence of policy values in V_6. Then

\[ \delta(\oplus^{V_6}_{p\text{-}o}(S)) = \oplus^{P}_{p\text{-}o}(\delta(S)). \]

Proof. Let S = ⟨s_1, ..., s_n⟩ and S' = {s_1, ..., s_n}. There are six possible outcomes for δ(⊕^{V_6}_{p-o}(S)) = ⊕^P_{p-o}(δ(S)):

1. δ(⊕^{V_6}_{p-o}(S)) = [1, 0] iff ⊕^{V_6}_{p-o}(S) = ⊤_d = ⊔_p-o S' (by (16)). Based on ⊑_p-o we get that ∃i : s_i = ⊤_d and ∀j : j ≠ i, s_j ∈ {⊤_d, I_d, ⊥}. Thus, by (13) we get that δ(s_i) = [1, 0] and ∀j : j ≠ i, δ(s_j) ∈ {[1, 0], [½, 0], [0, 0]}. Furthermore we get that Max_⊑P({δ(s_1), ..., δ(s_n)}) = [1, 0]. Hence, by (17) we get that ⊕^P_{p-o}(δ(S)) = [1, 0].

2. δ(⊕^{V_6}_{p-o}(S)) = [0, 1] iff ⊕^{V_6}_{p-o}(S) = ⊤_p = ⊔_p-o S' (by (16)). Based on ⊑_p-o we get that ∃i : s_i = ⊤_p. Thus, by (13) we get that δ(s_i) = [0, 1]. Furthermore we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [_, 1]. Hence, by (17) we get ⊕^P_{p-o}(δ(S)) = [0, 1].

3. δ(⊕^{V_6}_{p-o}(S)) = [½, ½] iff ⊕^{V_6}_{p-o}(S) = I_dp = ⊔_p-o S' (by (16)). Based on ⊑_p-o there are three cases:

   (a) ∃i : s_i = I_dp and ∀j : j ≠ i, s_j ∈ {I_dp, I_p, ⊤_d, I_d, ⊥}. Hence, by (13) we get that δ(s_i) = [½, ½] and ∀s_j : δ(s_j) ∈ {[½, ½], [0, ½], [1, 0], [½, 0], [0, 0]}. Furthermore we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [D, ½] where D ≥ ½. Therefore, by (17) we get that ⊕^P_{p-o}(δ(S)) = [½, ½].

   (b) ∃i, j : s_i = I_p, s_j = ⊤_d and ∀k : k ≠ i, k ≠ j, s_k ∈ {I_p, ⊤_d, I_d, ⊥}. Hence, by (13) we get that δ(s_i) = [0, ½] and δ(s_j) = [1, 0] and ∀k : δ(s_k) ∈ {[0, ½], [1, 0], [½, 0], [0, 0]}. Therefore, we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [D, ½] where D ≥ ½. Moreover, by (17) we get that ⊕^P_{p-o}(δ(S)) = [½, ½].

   (c) ∃i, j : s_i = I_p, s_j = I_d and ∀k : k ≠ i, k ≠ j, s_k ∈ {I_p, I_d, ⊥}. Hence, by (13) we get that δ(s_i) = [0, ½] and δ(s_j) = [½, 0] and ∀k : δ(s_k) ∈ {[0, ½], [½, 0], [0, 0]}. Hence, we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [D, ½] where D ≥ ½. Moreover, by (17) we get that ⊕^P_{p-o}(δ(S)) = [½, ½].

4. δ(⊕^{V_6}_{p-o}(S)) = [½, 0] iff ⊕^{V_6}_{p-o}(S) = I_d = ⊔_p-o S' (by (16)). Based on ⊑_p-o we get that ∃i : s_i = I_d and ∀j : j ≠ i, s_j ∈ {I_d, ⊥}. Hence, by (13) we get that δ(s_i) = [½, 0] and ∀j : δ(s_j) ∈ {[½, 0], [0, 0]}. Furthermore we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [½, 0]. Therefore, by (17) we get that ⊕^P_{p-o}(δ(S)) = [½, 0].

5. δ(⊕^{V_6}_{p-o}(S)) = [0, ½] iff ⊕^{V_6}_{p-o}(S) = I_p = ⊔_p-o S' (by (16)). Based on ⊑_p-o we get that ∃i : s_i = I_p and ∀j : j ≠ i, s_j ∈ {I_p, ⊥}. Hence, by (13) we get that δ(s_i) = [0, ½] and ∀j : δ(s_j) ∈ {[0, ½], [0, 0]}. Furthermore we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [0, ½]. Therefore, by (17) we get that ⊕^P_{p-o}(δ(S)) = [0, ½].

6. δ(⊕^{V_6}_{p-o}(S)) = [0, 0] iff ⊕^{V_6}_{p-o}(S) = ⊥ = ⊔_p-o S' (by (16)). Based on ⊑_p-o we get that ∀i : s_i = ⊥. Hence, by (13) we get that ∀i : δ(s_i) = [0, 0]. Furthermore we get Max_⊑P({δ(s_1), ..., δ(s_n)}) = [0, 0]. Therefore, by (17) we get that ⊕^P_{p-o}(δ(S)) = [0, 0]. □



3.3 Deny-Overrides Combining Algorithm

The deny-overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision. This algorithm (taken from [14]) has the following behaviour:

1. If any decision is ⊤_d then the result is ⊤_d,

2. otherwise, if any decision is I_dp then the result is I_dp,

3. otherwise, if any decision is I_d and another decision is I_p or ⊤_p, then the result is I_dp,

4. otherwise, if any decision is I_d then the result is I_d,

5. otherwise, if any decision is ⊤_p then the result is ⊤_p,

6. otherwise, if any decision is I_p then the result is I_p,

7. otherwise, the result is ⊥.

We call L_d-o = (V_6, ⊑_d-o) the lattice for the deny-overrides combining algorithm, where ⊑_d-o is the ordering depicted in Figure 3. The least upper bound operator for L_d-o is denoted by ⊔_d-o.

Definition 3. The deny-overrides combining algorithm ⊕^{V_6}_{d-o} is a mapping function from a sequence of V_6 elements into an element in V_6 as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in V_6 and S' = {s_1, ..., s_n}. We define the deny-overrides combining algorithm under V_6 as follows:

\[ \oplus^{V_6}_{d\text{-}o}(S) = \bigsqcup_{d\text{-}o} S' \tag{18} \]

The deny-overrides combining algorithm can also be expressed under P. The idea is similar to the permit-overrides combining algorithm by symmetry.

Definition 4. The deny-overrides combining algorithm ⊕^P_{d-o} is a mapping function from a sequence of P elements into an element in P as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in P and S' = {s_1, ..., s_n}. We define the deny-overrides combining algorithm under P as follows:

\[
\oplus^{P}_{d\text{-}o}(S) =
\begin{cases}
[1, 0] & \mathit{Max}_{\sqsubseteq_P}(S') = [1, \_] \\
[\tfrac{1}{2}, \tfrac{1}{2}] & \mathit{Max}_{\sqsubseteq_P}(S') = [\tfrac{1}{2}, P],\ P \ge \tfrac{1}{2} \\
\mathit{Max}_{\sqsubseteq_P}(S') & \text{otherwise}
\end{cases}
\tag{19}
\]
Proposition 3. Let S be a sequence of policy values in V_6. Then

\[ \delta(\oplus^{V_6}_{d\text{-}o}(S)) = \oplus^{P}_{d\text{-}o}(\delta(S)). \]

The proof of Proposition 3 is similar to the proof of Proposition 2 by symmetry.
3.4 First-Applicable Combining Algorithm 

The result of the first-applicable algorithm is the first Rule, Policy or PolicySet element in the sequence whose Target and Condition are applicable. The pseudo-code of the first-applicable combining algorithm in XACML 3.0 [14] shows that the result of this algorithm is the first Rule, Policy or PolicySet that is not "not applicable". The idea is that there is a possibility that an indeterminate policy could turn out to be an applicable policy. The first-applicable combining algorithm under V_6 and P is defined below.

Definition 5 (First-Applicable Combining Algorithm). The first-applicable combining algorithm ⊕^{V_6}_{f-a} is a mapping function from a sequence of V_6 elements into an element in V_6 as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in V_6. We define the first-applicable combining algorithm under V_6 as follows:

\[
\oplus^{V_6}_{f\text{-}a}(S) =
\begin{cases}
s_i & \exists i : s_i \ne \bot \text{ and } \forall j < i : s_j = \bot \\
\bot & \text{otherwise}
\end{cases}
\tag{20}
\]

Definition 6. The first-applicable combining algorithm ⊕^P_{f-a} is a mapping function from a sequence of P elements into an element in P as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in P. We define the first-applicable combining algorithm under P as follows:

\[
\oplus^{P}_{f\text{-}a}(S) =
\begin{cases}
s_i & \exists i : s_i \ne [0, 0] \text{ and } \forall j < i : s_j = [0, 0] \\
[0, 0] & \text{otherwise}
\end{cases}
\tag{21}
\]

Proposition 4. Let S be a sequence of policy values in V_6. Then

\[ \delta(\oplus^{V_6}_{f\text{-}a}(S)) = \oplus^{P}_{f\text{-}a}(\delta(S)). \]

Proof. Equation (20) is the same as equation (21) when the result of equation (20) is mapped into P using the δ function and the input of equation (21) is δ(S). □
3.5 Only-One-Applicable Combining Algorithm

The only-one-applicable combining algorithm ensures that one and only one policy is applicable by virtue of its Target. If no policy applies, then the result is not applicable, but if more than one policy is applicable, then the result is indeterminate. When exactly one policy is applicable, the result of the combining algorithm is the result of evaluating that single applicable policy.

We call L_o-1-a = (V_6, ⊑_o-1-a) the lattice for the only-one-applicable combining algorithm, where ⊑_o-1-a is the ordering depicted in Figure 3. The least upper bound operator for L_o-1-a is denoted by ⊔_o-1-a.

Definition 7. The only-one-applicable combining algorithm ⊕^{V_6}_{o-1-a} is a mapping function from a sequence of V_6 elements into an element in V_6 as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in V_6 and S' = {s_1, ..., s_n}. We define the only-one-applicable combining algorithm under V_6 as follows:

\[
\oplus^{V_6}_{o\text{-}1\text{-}a}(S) =
\begin{cases}
I_d & \exists i, j : i \ne j,\ s_i = s_j = \top_d \text{ and } \forall k : s_k \ne \top_d \Rightarrow s_k = \bot \\
I_p & \exists i, j : i \ne j,\ s_i = s_j = \top_p \text{ and } \forall k : s_k \ne \top_p \Rightarrow s_k = \bot \\
\bigsqcup_{o\text{-}1\text{-}a} S' & \text{otherwise}
\end{cases}
\tag{22}
\]

The only-one-applicable combining algorithm can also be expressed under P. The idea is that we inspect the maximum value of Deny and Permit returned from the given set of pairwise policy values. By inspecting the maximum value for each element, we know exactly the combination of pairwise policy values, i.e., if we find that both Deny and Permit are not 0, it means that the Deny and the Permit are each either applicable (i.e. it has value 1) or indeterminate (i.e. it has value ½). Thus, the result of this algorithm is I_dp (based on the XACML 3.0 Specification [14]). However, if only one element is not 0, then there is a possibility that many policies have the same applicable (or indeterminate) value. If there are at least two policies whose Deny (or Permit) value is either applicable or indeterminate, then the result is I_d (or I_p). Otherwise we take the maximum value of Deny and Permit from the given set of pairwise policy values as the result of the only-one-applicable combining algorithm.

Definition 8. The only-one-applicable combining algorithm ⊕^P_{o-1-a} is a mapping function from a sequence of P elements into an element in P as the result of composing policies. Let S = ⟨s_1, ..., s_n⟩ be a sequence of policy values in P and S' = {s_1, ..., s_n}. We define the only-one-applicable combining algorithm under P as follows:

\[
\oplus^{P}_{o\text{-}1\text{-}a}(S) =
\begin{cases}
[\tfrac{1}{2}, \tfrac{1}{2}] & \mathit{Max}_{\sqsubseteq_P}(S') = [D, P],\ D, P \ge \tfrac{1}{2} \\
[\tfrac{1}{2}, 0] & \mathit{Max}_{\sqsubseteq_P}(S') = [D, 0],\ D \ge \tfrac{1}{2} \text{ and } \exists i, j : i \ne j,\ d(s_i), d(s_j) \ge \tfrac{1}{2} \\
[0, \tfrac{1}{2}] & \mathit{Max}_{\sqsubseteq_P}(S') = [0, P],\ P \ge \tfrac{1}{2} \text{ and } \exists i, j : i \ne j,\ p(s_i), p(s_j) \ge \tfrac{1}{2} \\
\mathit{Max}_{\sqsubseteq_P}(S') & \text{otherwise}
\end{cases}
\tag{23}
\]
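To make the two characterizations concrete and to re-check Propositions 2 to 5 mechanically, here is an added Python example (not the paper's own code). It implements the four combining algorithms under V_6 as least upper bounds in the lattices of Figure 3 (eqs. (16), (18), (20) and (22)) and under P via Max_⊑P (eqs. (17), (19), (21) and (23)), then compares δ(⊕^{V_6}(S)) with ⊕^P(δ(S)) over every sequence of length at most 3. The string names of the V_6 values and the cover relations used to encode the three lattices are this example's own reading of Figure 3 and of the rule lists in Sections 3.2 to 3.5.

```python
from itertools import product

# V6 (Section 2.2.5) as strings; 'B' is bottom (not applicable)
V6 = ['B', 'Id', 'Ip', 'Idp', 'Td', 'Tp']
H = 0.5

# eq. (13): the pairwise encoding delta : V6 -> P as (Deny, Permit) pairs
DELTA = {'B': (0, 0), 'Id': (H, 0), 'Ip': (0, H), 'Idp': (H, H), 'Td': (1, 0), 'Tp': (0, 1)}

def max_p(seq):
    """eq. (14): component-wise maximum of Deny and Permit over the given pairwise values."""
    return (max(d for d, _ in seq), max(p for _, p in seq))

# --- the four algorithms under P (Definitions 2, 4, 6 and 8) ---
def po_p(seq):                                   # eq. (17)
    d, p = max_p(seq)
    if p == 1:
        return (0, 1)
    if p == H and d >= H:
        return (H, H)
    return (d, p)

def do_p(seq):                                   # eq. (19): permit-overrides by symmetry
    d, p = max_p(seq)
    if d == 1:
        return (1, 0)
    if d == H and p >= H:
        return (H, H)
    return (d, p)

def fa_p(seq):                                   # eq. (21): first value that is not [0, 0]
    return next((x for x in seq if x != (0, 0)), (0, 0))

def o1a_p(seq):                                  # eq. (23)
    d, p = max_p(seq)
    if d >= H and p >= H:
        return (H, H)
    if d >= H and sum(x[0] >= H for x in seq) >= 2:
        return (H, 0)
    if p >= H and sum(x[1] >= H for x in seq) >= 2:
        return (0, H)
    return (d, p)

# --- the lattices of Figure 3 as cover relations: (a, b) means a is directly below b ---
COVERS = {
    'p-o':   [('B', 'Id'), ('Id', 'Td'), ('Td', 'Idp'), ('Idp', 'Tp'), ('B', 'Ip'), ('Ip', 'Idp')],
    'd-o':   [('B', 'Ip'), ('Ip', 'Tp'), ('Tp', 'Idp'), ('Idp', 'Td'), ('B', 'Id'), ('Id', 'Idp')],
    'o-1-a': [('B', 'Td'), ('Td', 'Id'), ('Id', 'Idp'), ('B', 'Tp'), ('Tp', 'Ip'), ('Ip', 'Idp')],
}

def leq(lat, a, b):
    """a is below or equal to b in lattice lat (reflexive-transitive closure of the covers)."""
    return a == b or any(leq(lat, c, b) for x, c in COVERS[lat] if x == a)

def lub(lat, s):
    """Least upper bound of the set s: the upper bound that lies below every other upper bound."""
    ups = [x for x in V6 if all(leq(lat, y, x) for y in s)]
    return next(x for x in ups if all(leq(lat, x, y) for y in ups))

# --- the same algorithms under V6 (Definitions 1, 3, 5 and 7) ---
def po_v6(seq):                                  # eq. (16)
    return lub('p-o', set(seq))

def do_v6(seq):                                  # eq. (18)
    return lub('d-o', set(seq))

def fa_v6(seq):                                  # eq. (20)
    return next((x for x in seq if x != 'B'), 'B')

def o1a_v6(seq):                                 # eq. (22)
    for applicable, indeterminate in (('Td', 'Id'), ('Tp', 'Ip')):
        if seq.count(applicable) >= 2 and all(x in (applicable, 'B') for x in seq):
            return indeterminate
    return lub('o-1-a', set(seq))

def equivalent(alg_v6, alg_p, max_len=3):
    """Propositions 2-5: delta(alg_v6(S)) == alg_p(delta(S)) for every sequence S, |S| <= max_len."""
    return all(DELTA[alg_v6(list(seq))] == alg_p([DELTA[x] for x in seq])
               for n in range(1, max_len + 1) for seq in product(V6, repeat=n))

if __name__ == '__main__':
    for name, v6, p in (('p-o', po_v6, po_p), ('d-o', do_v6, do_p),
                        ('f-a', fa_v6, fa_p), ('o-1-a', o1a_v6, o1a_p)):
        print(name, equivalent(v6, p))           # True for all four
```

The brute-force check is the mechanical counterpart of the case analyses in the proofs: the lattice version is written purely in terms of the ordering, the pairwise version purely in terms of Max_⊑P, and the two are only compared through δ. The one place where the lattice alone does not suffice is eq. (22), where two ⊤_d (or two ⊤_p) inputs must be caught before taking the join, since ⊔_o-1-a{⊤_d} = ⊤_d would otherwise report the value of a policy that is not the only applicable one.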
Proposition 5. Let $S$ be a sequence of policy values in $\mathcal{V}_6$. Then

$$
\delta\big(\oplus^{\mathcal{V}_6}_{o\text{-}1\text{-}a}(S)\big) = \oplus^{\mathcal{P}}_{o\text{-}1\text{-}a}\big(\delta(S)\big).
$$

Proof. Let $S = \langle s_1, \ldots, s_n \rangle$ and $S' = \{ s_1, \ldots, s_n \}$; within this proof we abbreviate $\oplus^{\mathcal{V}_6}_{o\text{-}1\text{-}a}$ to $\oplus^{\mathcal{V}_6}$, $\oplus^{\mathcal{P}}_{o\text{-}1\text{-}a}$ to $\oplus^{\mathcal{P}}$ and $\bigsqcup_{o\text{-}1\text{-}a}$ to $\bigsqcup$. There are six possible outcomes for $\delta(\oplus^{\mathcal{V}_6}(S)) = \oplus^{\mathcal{P}}(\delta(S))$:

1. $\delta(\oplus^{\mathcal{V}_6}(S)) = [1, 0]$ iff $\oplus^{\mathcal{V}_6}(S) = \top_d = \bigsqcup S'$ (by (22)). Based on $\bigsqcup$ we get that $\exists i : s_i = \top_d$ and $\forall j : j \neq i,\ s_j = \bot$. Furthermore, by (13) we get that $\delta(s_i) = [1, 0]$ and $\forall j : j \neq i,\ \delta(s_j) = [0, 0]$. Therefore $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [1, 0]$, and only one element has a Deny component $\geq \frac{1}{2}$. Thus, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [1, 0]$.

2. $\delta(\oplus^{\mathcal{V}_6}(S)) = [0, 1]$ iff $\oplus^{\mathcal{V}_6}(S) = \top_p = \bigsqcup S'$ (by (22)). Based on $\bigsqcup$ we get that $\exists i : s_i = \top_p$ and $\forall j : j \neq i,\ s_j = \bot$. Furthermore, by (13) we get that $\delta(s_i) = [0, 1]$ and $\forall j : j \neq i,\ \delta(s_j) = [0, 0]$. Hence $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [0, 1]$, and only one element has a Permit component $\geq \frac{1}{2}$. Thus, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [0, 1]$.

3. $\delta(\oplus^{\mathcal{V}_6}(S)) = [\frac{1}{2}, \frac{1}{2}]$ iff $\oplus^{\mathcal{V}_6}(S) = I_{dp} = \bigsqcup S'$ (by (22)). Based on $\bigsqcup$ there are two possibilities:

   (a) $\exists i : s_i = I_{dp}$. Hence, by (13), we get that $\delta(s_i) = [\frac{1}{2}, \frac{1}{2}]$. Therefore $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [D, P]$ where $D, P \geq \frac{1}{2}$. Hence, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [\frac{1}{2}, \frac{1}{2}]$.

   (b) $\exists i : s_i \in \{ I_d, \top_d \}$ and $\exists j : s_j \in \{ I_p, \top_p \}$. Thus, by (13), we get that $\delta(s_i) = [D, 0]$ and $\delta(s_j) = [0, P]$ where $D, P \geq \frac{1}{2}$. Furth§ermore, $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [D, P]$ where $D, P \geq \frac{1}{2}$. Hence, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [\frac{1}{2}, \frac{1}{2}]$.

4. $\delta(\oplus^{\mathcal{V}_6}(S)) = [\frac{1}{2}, 0]$ iff $\oplus^{\mathcal{V}_6}(S) = I_d$. By (22) there are two possibilities:

   (a) $\exists i, j : i \neq j,\ s_i = s_j = \top_d$ and $\forall k : s_k \neq \top_d \Rightarrow s_k = \bot$. Thus, by (13), we get that $\delta(s_i) = \delta(s_j) = [1, 0]$ and $\forall k : s_k = \bot \Rightarrow \delta(s_k) = [0, 0]$. Hence $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [1, 0]$ and $d(\delta(s_i)), d(\delta(s_j)) \geq \frac{1}{2}$. Therefore, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [\frac{1}{2}, 0]$.

   (b) $\oplus^{\mathcal{V}_6}(S) = \bigsqcup S' = I_d$. Thus, based on $\bigsqcup$, we get that $\exists i : s_i = I_d$ and $\forall j : j \neq i,\ s_j \in \{ I_d, \top_d, \bot \}$. Thus $\delta(s_i) = [\frac{1}{2}, 0]$ and $\forall j : \delta(s_j) \in \{ [\frac{1}{2}, 0], [1, 0], [0, 0] \}$ by (13). Hence $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [D, 0]$ where $D \geq \frac{1}{2}$. There are two possibilities:

      i. $D = 1$ iff $\exists k : \delta(s_k) = [1, 0]$. Thus we have $s_i$ and $s_k$ with $d(\delta(s_i)), d(\delta(s_k)) \geq \frac{1}{2}$. Therefore, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [\frac{1}{2}, 0]$.

      ii. $D = \frac{1}{2}$. Then every non-bottom element is $[\frac{1}{2}, 0]$, so either the second case of (23) applies or $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [\frac{1}{2}, 0]$ is returned; in both cases, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [\frac{1}{2}, 0]$.

5. $\delta(\oplus^{\mathcal{V}_6}(S)) = [0, \frac{1}{2}]$ iff $\oplus^{\mathcal{V}_6}(S) = I_p$. By (22) there are two possibilities:

   (a) $\exists i, j : i \neq j,\ s_i = s_j = \top_p$ and $\forall k : s_k \neq \top_p \Rightarrow s_k = \bot$. Thus, by (13), we get that $\delta(s_i) = \delta(s_j) = [0, 1]$ and $\forall k : s_k = \bot \Rightarrow \delta(s_k) = [0, 0]$. Hence $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [0, 1]$ and $p(\delta(s_i)), p(\delta(s_j)) \geq \frac{1}{2}$. Therefore, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [0, \frac{1}{2}]$.

   (b) $\oplus^{\mathcal{V}_6}(S) = \bigsqcup S' = I_p$. Thus, based on $\bigsqcup$, we get that $\exists i : s_i = I_p$ and $\forall j : j \neq i,\ s_j \in \{ I_p, \top_p, \bot \}$. Thus $\delta(s_i) = [0, \frac{1}{2}]$ and $\forall j : \delta(s_j) \in \{ [0, \frac{1}{2}], [0, 1], [0, 0] \}$ by (13). Hence $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [0, P]$ where $P \geq \frac{1}{2}$. There are two possibilities:

      i. $P = 1$ iff $\exists k : \delta(s_k) = [0, 1]$. Thus we have $s_i$ and $s_k$ with $p(\delta(s_i)), p(\delta(s_k)) \geq \frac{1}{2}$. Therefore, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [0, \frac{1}{2}]$.

      ii. $P = \frac{1}{2}$. As in case 4(b)ii, by (23) we get $\oplus^{\mathcal{P}}(\delta(S)) = [0, \frac{1}{2}]$.

6. $\delta(\oplus^{\mathcal{V}_6}(S)) = [0, 0]$ iff $\oplus^{\mathcal{V}_6}(S) = \bot = \bigsqcup S'$ (by (22)). Based on $\bigsqcup$ we get that $\forall i : s_i = \bot$. Furthermore, by (13), we get that $\forall i : \delta(s_i) = [0, 0]$. Therefore $\mathit{Max}_{CP}(\{ \delta(s_1), \ldots, \delta(s_n) \}) = [0, 0]$. Thus, by (23), we get $\oplus^{\mathcal{P}}(\delta(S)) = [0, 0]$. □
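The two definitions and Proposition 5 can be checked mechanically. The following Python script is an added example (not code from the paper): it encodes $\delta$, $\mathit{Max}_{CP}$, equation (23) as printed, and equation (22) with the lub $\bigsqcup_{o\text{-}1\text{-}a}$ written out as the case split used in the proof above, and then enumerates every sequence of $\mathcal{V}_6$ values up to length 3 looking for a counterexample. The string tags for the six values and the tuple encoding of pairwise values are this example's own choices.

```python
"""Only-one-applicable under V6 (eq. 22) and under pairwise values P (eq. 23),
with delta and Max_CP, plus an exhaustive check of Proposition 5.
Added example; not code from the paper."""
from fractions import Fraction
from itertools import product

H = Fraction(1, 2)  # the "1/2" (indeterminate) component value

# The six policy values of V6 (the string tags are this example's choice)
TOP_D, TOP_P, I_D, I_P, I_DP, BOT = "Td", "Tp", "Id", "Ip", "Idp", "Bot"
V6 = (TOP_D, TOP_P, I_D, I_P, I_DP, BOT)

# delta : V6 -> P, pairwise values encoded as (Deny, Permit) tuples
DELTA = {TOP_D: (1, 0), TOP_P: (0, 1), I_D: (H, 0),
         I_P: (0, H), I_DP: (H, H), BOT: (0, 0)}


def delta(v):
    return DELTA[v]


def max_cp(pvals):
    """Componentwise maximum over a non-empty collection of pairwise values."""
    pvals = list(pvals)
    return (max(d for d, _ in pvals), max(p for _, p in pvals))


def ooa_v6(seq):
    """oplus^{V6}_{o-1-a}: the two explicit cases of (22), then the lub in
    L_{o-1-a} written out as the case split used in the proof of Prop. 5."""
    seq = list(seq)
    # (22), first two cases: two or more Deny (Permit), everything else NotApplicable
    if seq.count(TOP_D) >= 2 and all(s in (TOP_D, BOT) for s in seq):
        return I_D
    if seq.count(TOP_P) >= 2 and all(s in (TOP_P, BOT) for s in seq):
        return I_P
    deny_side = any(s in (TOP_D, I_D) for s in seq)
    permit_side = any(s in (TOP_P, I_P) for s in seq)
    if I_DP in seq or (deny_side and permit_side):
        return I_DP                      # proof case 3
    if deny_side:                        # proof cases 1 and 4(b)
        return TOP_D if seq.count(TOP_D) == 1 and I_D not in seq else I_D
    if permit_side:                      # proof cases 2 and 5(b)
        return TOP_P if seq.count(TOP_P) == 1 and I_P not in seq else I_P
    return BOT                           # proof case 6


def ooa_p(pvals):
    """oplus^{P}_{o-1-a}, equation (23), over a sequence of pairwise values."""
    pvals = list(pvals)
    D, P = max_cp(pvals)
    if D >= H and P >= H:
        return (H, H)
    if P == 0 and D >= H and sum(1 for d, _ in pvals if d >= H) >= 2:
        return (H, 0)
    if D == 0 and P >= H and sum(1 for _, p in pvals if p >= H) >= 2:
        return (0, H)
    return (D, P)


def check_proposition_5(max_len=3):
    """Return the first sequence (up to max_len) violating
    delta(ooa_v6(S)) == ooa_p(delta(S)), or None if none exists."""
    for n in range(1, max_len + 1):
        for seq in product(V6, repeat=n):
            if delta(ooa_v6(seq)) != ooa_p(delta(s) for s in seq):
                return seq
    return None


if __name__ == "__main__":
    for s in ([TOP_D, BOT], [TOP_D, TOP_D], [TOP_D, I_D], [TOP_D, TOP_P], [I_D, BOT]):
        print(s, "->", ooa_v6(s), ooa_p(delta(v) for v in s))
    print("Proposition 5 counterexample:", check_proposition_5())
```

Running the script prints the composed value under both encodings for a few sequences and `None` for the counterexample search, which is the exhaustive (length $\leq 3$) counterpart of the six-case argument in the proof.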



4 Related Work

We focus the discussion on the formalization of XACML using Belnap logic [4] and $\mathcal{D}$-algebra [13]; those two take an approach similar to the pairwise policy values approach explained in Section 3. In this section we show the shortcomings of the formalizations in the work of Bruns et al. [6] and of Ni et al. [13].



4.1 XACML Semantics under Belnap Four-Valued Logic

Belnap in his paper [4] defines a four-valued logic over $\mathbf{four} = \{ \top\!\top, \mathit{tt}, \mathit{ff}, \bot\!\bot \}$. There are two orderings in Belnap logic, i.e., the knowledge ordering ($\leq_k$) and the truth ordering ($\leq_t$) (see Figure 4).

Figure 4. Bi-lattice of Belnap Four-Valued Logic (knowledge ordering and truth ordering)

Bruns et al. in PBel [5, 6] and also Hankin et al. in AspectKB use Belnap four-valued logic to represent the composition of access control policies. The responses of an access control system are $\mathit{tt}$ when the policy is granted or access is permitted, $\mathit{ff}$ when the policy is not granted or access is denied, $\bot\!\bot$ when there is no applicable policy, and $\top\!\top$ when a conflict arises, i.e., an access is both permitted and denied. Additional operators are added as follows [6]:

- overwriting operator $x[y \mapsto z]$ with $y, z \in \mathbf{four}$: the expression $x[y \mapsto z]$ yields $x$ if $x \neq y$, and $z$ otherwise;
- priority operator $x > y$: syntactic sugar for $x[\bot\!\bot \mapsto y]$.

Bruns et al. defined the XACML combining algorithms using Belnap four-valued logic as follows [6], where $\oplus$ and $\otimes$ denote the join and the meet in the knowledge ordering:

- permit-overrides: $(p \oplus q)[\top\!\top \mapsto \mathit{ff}]$
- first-applicable: $p > q$
- only-one-applicable: $(p \oplus q) \oplus ((p \oplus \neg p) \otimes (q \oplus \neg q))$

Bruns et al. suggested that the indeterminate value is treated as $\top\!\top$. However, with indeterminate as $\top\!\top$, the permit-overrides combining algorithm is not defined correctly. Suppose we have two policies $p$ and $q$ where $p$ is permit and $q$ is indeterminate. The result of the permit-overrides combining algorithm is $(p \oplus q)[\top\!\top \mapsto \mathit{ff}] = (\mathit{tt} \oplus \top\!\top)[\top\!\top \mapsto \mathit{ff}] = \top\!\top[\top\!\top \mapsto \mathit{ff}] = \mathit{ff}$. Based on XACML 2.0 [12] and XACML 3.0 [14], the result of the permit-overrides combining algorithm should be permit ($\mathit{tt}$). However, under Belnap four-valued logic the result is deny ($\mathit{ff}$).

Bruns et al. tried to define the indeterminate value as a conflict by formalizing it as $\top\!\top$. However, their formulation of the permit-overrides combining algorithm is inconsistent with the standard XACML specification. Moreover, they say that sometimes indeterminate should be treated as $\bot\!\bot$ and sometimes as $\top\!\top$ [5], but there is no explanation of the circumstances under which indeterminate is treated as $\top\!\top$ or as $\bot\!\bot$. Treating indeterminate as $\top\!\top$ is too strong, because an indeterminate value does not always carry information about deny and permit at the same time: only $I_{dp}$ carries information about both deny and permit, whereas $I_d$ and $I_p$ carry information only about deny and only about permit, respectively. On the other hand, the value $\bot\!\bot$ for indeterminate is too weak, because indeterminate is then treated as not applicable despite the information contained in the indeterminate value. Belnap four-valued logic has no explicit notion of indeterminate; what it does have is a conflict value ($\top\!\top$).



4.2 XACML Semantics under $\mathcal{D}$-Algebra

Ni et al. in [13] define $\mathcal{D}$-algebra as a decision set together with some operations on it.

Definition 9 ($\mathcal{D}$-algebra [13]). Let $\mathcal{D}$ be a nonempty set of elements, $0$ be a constant element of $\mathcal{D}$, $\neg$ be a unary operation on elements in $\mathcal{D}$, and $\oplus^{\mathcal{D}}$, $\otimes^{\mathcal{D}}$ be binary operations on elements in $\mathcal{D}$. A $\mathcal{D}$-algebra is an algebraic structure $(\mathcal{D}, \neg, \oplus^{\mathcal{D}}, \otimes^{\mathcal{D}}, 0)$ closed under $\neg$, $\oplus^{\mathcal{D}}$, $\otimes^{\mathcal{D}}$ and satisfying the following axioms:

1. $x \oplus^{\mathcal{D}} y = y \oplus^{\mathcal{D}} x$
2. $(x \oplus^{\mathcal{D}} y) \oplus^{\mathcal{D}} z = x \oplus^{\mathcal{D}} (y \oplus^{\mathcal{D}} z)$
3. $x \oplus^{\mathcal{D}} 0 = x$
4. $\neg\neg x = x$
5. $x \oplus^{\mathcal{D}} \neg 0 = \neg 0$
6. $\neg(\neg x \oplus^{\mathcal{D}} y) \oplus^{\mathcal{D}} y = \neg(\neg y \oplus^{\mathcal{D}} x) \oplus^{\mathcal{D}} x$
7. $x \otimes^{\mathcal{D}} y = \begin{cases} \neg 0 & \text{if } x = y \\ 0 & \text{if } x \neq y \end{cases}$

In order to write formulae in a compact form, for $x, y \in \mathcal{D}$, $x \odot^{\mathcal{D}} y = \neg(\neg x \oplus^{\mathcal{D}} \neg y)$ and $x \ominus^{\mathcal{D}} y = x \odot^{\mathcal{D}} \neg y$.

Ni et al. [13] observe that XACML decisions contain three different values, i.e., permit ($\{p\}$), deny ($\{d\}$) and not applicable ($\{\mathit{na}\}$). Those decisions are deterministic decisions. The non-deterministic decisions $I_d$, $I_p$ and $I_{dp}$ are denoted by $\{d, \mathit{na}\}$, $\{p, \mathit{na}\}$ and $\{p, d, \mathit{na}\}$, respectively. The interpretation of a $\mathcal{D}$-algebra on XACML decisions is as follows [13]:

- $\mathcal{D}$ is represented by $\wp(\{p, d, \mathit{na}\})$
- $0$ is represented by $\emptyset$
- $\neg x$ is represented by $\{p, d, \mathit{na}\} - x$ where $x \in \mathcal{D}$
- $x \oplus^{\mathcal{D}} y$ is represented by $x \cup y$ where $x, y \in \mathcal{D}$
- $\otimes^{\mathcal{D}}$ is defined by axiom 7

Under this interpretation $x \odot^{\mathcal{D}} y$ is the intersection $x \cap y$, $x \ominus^{\mathcal{D}} y$ is the set difference $x - y$, and $x \otimes^{\mathcal{D}} y$ acts as an equality test that yields the full set $\{p, d, \mathit{na}\}$ when $x = y$ and $\emptyset$ otherwise.

There are two values which are not in XACML, i.e., $\emptyset$ and $\{p, d\}$. Simply put, $\emptyset$ stands for an empty policy (or there is no policy) and $\{p, d\}$ for a conflict.

The composition function of permit-overrides using $\mathcal{D}$-algebra is as follows:

$$
\begin{aligned}
f_{po}(x, y) = {} & (x \oplus^{\mathcal{D}} y) \\
& \ominus^{\mathcal{D}} \big( ((x \otimes^{\mathcal{D}} \{p\}) \oplus^{\mathcal{D}} (y \otimes^{\mathcal{D}} \{p\})) \odot^{\mathcal{D}} \{d, \mathit{na}\} \big) \\
& \ominus^{\mathcal{D}} \big( \neg((x \oplus^{\mathcal{D}} y) \otimes^{\mathcal{D}} \{\mathit{na}\}) \odot^{\mathcal{D}} \{\mathit{na}\} \odot^{\mathcal{D}} \neg((x \otimes^{\mathcal{D}} 0) \oplus^{\mathcal{D}} (y \otimes^{\mathcal{D}} 0)) \big)
\end{aligned}
$$

The result of combining two policies using the permit-overrides combining algorithm over $\mathcal{D}$-algebra can be seen in Table 3.



Table 3. Permit-Overrides Combining Algorithm Result Using $\mathcal{D}$-Algebra

[Table of $f_{po}(x, y)$ for $x, y \in \{ \{p\}, \{d\}, \{\mathit{na}\}, \{p, \mathit{na}\}, \{d, \mathit{na}\}, \{p, d\}, \{p, d, \mathit{na}\} \}$; the individual cells are not recoverable from the extracted text.]

The composition function of deny-overrides using $\mathcal{D}$-algebra is as follows:

$$
\begin{aligned}
f_{do}(x, y) = {} & (x \oplus^{\mathcal{D}} y) \\
& \ominus^{\mathcal{D}} \big( ((x \otimes^{\mathcal{D}} \{d\}) \oplus^{\mathcal{D}} (y \otimes^{\mathcal{D}} \{d\})) \odot^{\mathcal{D}} \{p, \mathit{na}\} \big) \\
& \ominus^{\mathcal{D}} \big( \neg((x \oplus^{\mathcal{D}} y) \otimes^{\mathcal{D}} \{\mathit{na}\}) \odot^{\mathcal{D}} \{\mathit{na}\} \odot^{\mathcal{D}} \neg((x \otimes^{\mathcal{D}} 0) \oplus^{\mathcal{D}} (y \otimes^{\mathcal{D}} 0)) \big)
\end{aligned}
$$

The result of combining two policies using the deny-overrides combining algorithm over $\mathcal{D}$-algebra can be seen in Table 4.

Table 4. Deny-Overrides Combining Algorithm Result Using $\mathcal{D}$-Algebra

[Table of $f_{do}(x, y)$ over the same seven decision values as Table 3; the individual cells are not recoverable from the extracted text.]



The composition function of first-applicable using $\mathcal{D}$-algebra is as follows (writing $\oplus$, $\odot$, $\otimes$ for $\oplus^{\mathcal{D}}$, $\odot^{\mathcal{D}}$, $\otimes^{\mathcal{D}}$):

$$
\begin{aligned}
f_{fa}(x, y) = {} & (x \odot (x \otimes y)) \oplus (y \odot (x \otimes \{\mathit{na}\})) \oplus (x \odot (y \otimes \{\mathit{na}\})) \\
& \oplus (x \odot (x \otimes \{p\})) \oplus (x \odot (x \otimes \{d\})) \\
& \oplus (x \odot (x \otimes \{p, d\})) \oplus (x \odot (x \otimes \{p, d, \mathit{na}\})) \\
& \oplus (\{p\} \odot (x \otimes \{p, \mathit{na}\}) \odot (y \otimes \{p\})) \\
& \oplus (\{p, d\} \odot (x \otimes \{p, \mathit{na}\}) \odot ((y \otimes \{d\}) \oplus (y \otimes \{d, \mathit{na}\}))) \\
& \oplus (\{p, d, \mathit{na}\} \odot (x \otimes \{p, \mathit{na}\}) \odot (y \otimes \{d, \mathit{na}\})) \\
& \oplus (\{d\} \odot (x \otimes \{d, \mathit{na}\}) \odot (y \otimes \{d\})) \\
& \oplus (\{p, d\} \odot (x \otimes \{d, \mathit{na}\}) \odot ((y \otimes \{p\}) \oplus (y \otimes \{p, \mathit{na}\}))) \\
& \oplus (\{p, d, \mathit{na}\} \odot (x \otimes \{d, \mathit{na}\}) \odot (y \otimes \{p, \mathit{na}\}))
\end{aligned}
$$

The result of combining two policies using the first-applicable combining algorithm over $\mathcal{D}$-algebra can be seen in Table 5.

Table 5. First-Applicable Combining Algorithm Result Using $\mathcal{D}$-Algebra

[Table of $f_{fa}(x, y)$ over the same seven decision values as Table 3; the individual cells are not recoverable from the extracted text.]

The composition function of only-one-applicable using $\mathcal{D}$-algebra is as follows:

$$
f_{oo}(x, y) = (x \odot^{\mathcal{D}} (y \otimes^{\mathcal{D}} \{\mathit{na}\})) \oplus^{\mathcal{D}} (y \odot^{\mathcal{D}} (x \otimes^{\mathcal{D}} \{\mathit{na}\}))
$$

The result of combining two policies using the only-one-applicable combining algorithm over $\mathcal{D}$-algebra can be seen in Table 6.

As we can see in Table 3, Table 4, Table 5 and Table 6, there are some results (indicated by red colour in the original) that differ from the results based on the XACML specifications [12, 14]. Consequently, the combining algorithm functions under $\mathcal{D}$-algebra are not appropriate as a semantics for XACML. Their formulations are inconsistent with XACML 2.0 [12] and XACML 3.0 [14].
Table 6. Only-One Applicable Combining Algorithm Result Using $\mathcal{D}$-Algebra

Rows give $x$, columns give $y$; $\emptyset$ is the empty decision.

f_oo(x, y)    {p}    {d}    {na}       {p,na}   {d,na}   {p,d}   {p,d,na}
{p}           ∅      ∅      {p}        ∅        ∅        ∅       ∅
{d}           ∅      ∅      {d}        ∅        ∅        ∅       ∅
{na}          {p}    {d}    {na}       {p,na}   {d,na}   {p,d}   {p,d,na}
{p,na}        ∅      ∅      {p,na}     ∅        ∅        ∅       ∅
{d,na}        ∅      ∅      {d,na}     ∅        ∅        ∅       ∅
{p,d}         ∅      ∅      {p,d}      ∅        ∅        ∅       ∅
{p,d,na}      ∅      ∅      {p,d,na}   ∅        ∅        ∅       ∅

Below we show an example that compares the results of the permit-overrides combining algorithm under all of the logics discussed in this paper.

Example 2. Given two policies $P_1$ and $P_2$ where $P_1$ is Indeterminate Permit and $P_2$ is Deny. Let us use the permit-overrides combining algorithm to compose those two policies. Table 7 shows the result of combining the policies under Belnap logic, $\mathcal{D}$-algebra, $\mathcal{V}_6$ and $\mathcal{P}$.

Table 7. Result of Permit-Overrides Combining Algorithm for Composing Two Policies $P_1$ and $P_2$ where $P_1$ is Indeterminate Permit and $P_2$ is Deny Under Various Logics

Logic            P_1        P_2       permit-overrides result
Belnap logic     ⊤⊤         ff        ff
D-algebra        {p,na}     {d}       {p,d}
V_6              I_p        ⊤_d       I_dp
P                [0,1/2]    [1,0]     [1/2,1/2]

The result of the permit-overrides combining algorithm under Belnap logic is $\mathit{ff}$ and under $\mathcal{D}$-algebra it is $\{p, d\}$. Under Bruns et al.'s approach using Belnap logic the access is denied, while under Ni et al.'s approach using $\mathcal{D}$-algebra a conflict occurs. Both Bruns et al. and Ni et al. claim that their approaches fit XACML 2.0 [12]; moreover, $\mathcal{D}$-algebra is claimed to fit XACML 3.0 [14]. However, based on XACML 2.0 the result should be Indeterminate and based on XACML 3.0 the result should be Indeterminate Deny Permit, so neither Belnap logic nor $\mathcal{D}$-algebra fits the specifications. We have illustrated that Belnap logic and $\mathcal{D}$-algebra in some cases give results that differ from the XACML specification. Conversely, our approaches give results consistent with XACML 3.0 [14] and with XACML 2.0 [12].
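The Belnap encoding of Section 4.1 and the $\mathcal{D}$-algebra formulae of Section 4.2 are small enough to execute, which makes the disagreement in Example 2 reproducible rather than argued by hand. The following Python script is an added example (not the paper's, Bruns et al.'s or Ni et al.'s code): it implements the four-valued knowledge join and meet, the overwriting operator and the three Belnap combining algorithms as printed in Section 4.1, and the $\mathcal{D}$-algebra operators with $f_{po}$ and $f_{oo}$ transcribed from Section 4.2 (reading axiom 7 as the equality test described there). Belnap values are encoded as sets of evidence and XACML decisions as frozensets over `{"p", "d", "na"}`; both encodings are this example's own.

```python
"""Example 2 computed mechanically: permit-overrides of (Indeterminate Permit, Deny)
under Belnap four-valued logic as encoded by Bruns et al. (Section 4.1) and under
Ni et al.'s D-algebra (Section 4.2). Added example; not the paper's code."""

# --- Belnap four-valued logic -------------------------------------------------
# Values are encoded by the evidence they carry: {} = none (bot-bot),
# {"t"} = tt, {"f"} = ff, {"t","f"} = both (top-top).
NONE, TT, FF, BOTH = frozenset(), frozenset("t"), frozenset("f"), frozenset("tf")


def k_join(x, y):
    """Join in the knowledge ordering (written oplus in Section 4.1)."""
    return x | y


def k_meet(x, y):
    """Meet in the knowledge ordering (written otimes in Section 4.1)."""
    return x & y


def neg(x):
    """Belnap negation: swaps tt and ff, fixes none and both."""
    return frozenset({"t": "f", "f": "t"}[e] for e in x)


def overwrite(x, y, z):
    """x[y -> z]: z if x == y, else x."""
    return z if x == y else x


def belnap_permit_overrides(p, q):
    return overwrite(k_join(p, q), BOTH, FF)        # (p oplus q)[both -> ff]


def belnap_first_applicable(p, q):
    return overwrite(p, NONE, q)                     # p > q = p[none -> q]


def belnap_only_one_applicable(p, q):
    return k_join(k_join(p, q), k_meet(k_join(p, neg(p)), k_join(q, neg(q))))


# --- D-algebra over the powerset of {p, d, na} --------------------------------
FULL = frozenset({"p", "d", "na"})
ZERO = frozenset()                                   # the constant 0
P_, D_, NA = frozenset({"p"}), frozenset({"d"}), frozenset({"na"})
I_P, I_D, I_DP = P_ | NA, D_ | NA, FULL              # Ni et al.'s indeterminates


def d_neg(x):
    return FULL - x


def d_plus(x, y):                                    # oplus^D, union
    return x | y


def d_test(x, y):                                    # otimes^D, axiom 7
    return FULL if x == y else ZERO


def d_dot(x, y):                                     # odot^D = neg(neg x oplus neg y)
    return d_neg(d_plus(d_neg(x), d_neg(y)))


def d_minus(x, y):                                   # ominus^D = x odot neg y
    return d_dot(x, d_neg(y))


def f_po(x, y):
    """Ni et al.'s permit-overrides, transcribed from the formula in Section 4.2."""
    u = d_plus(x, y)
    drop_if_permit = d_dot(d_plus(d_test(x, P_), d_test(y, P_)), D_ | NA)
    drop_na = d_dot(d_dot(d_neg(d_test(u, NA)), NA),
                    d_neg(d_plus(d_test(x, ZERO), d_test(y, ZERO))))
    return d_minus(d_minus(u, drop_if_permit), drop_na)


def f_oo(x, y):
    """Ni et al.'s only-one-applicable, transcribed from Section 4.2."""
    return d_plus(d_dot(x, d_test(y, NA)), d_dot(y, d_test(x, NA)))


def example_2():
    """P1 = Indeterminate Permit, P2 = Deny, composed with permit-overrides.
    Bruns et al. treat indeterminate as both (top-top)."""
    return {"belnap": belnap_permit_overrides(BOTH, FF), "d_algebra": f_po(I_P, D_)}


if __name__ == "__main__":
    r = example_2()
    print("Belnap:", sorted(r["belnap"]), " D-algebra:", sorted(r["d_algebra"]))
```

`example_2()` returns `ff` for the Belnap encoding and `{p, d}` for the $\mathcal{D}$-algebra, the two values discussed above; `f_oo` also regenerates Table 6, and `belnap_only_one_applicable(TT, FF)` yields the conflict value $\top\!\top$, showing why the formula needs a meet rather than a join in its inner term.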

5 Conclusion

We have shown the formalization of XACML 3.0 step by step. We believe that with our approach the user can better understand how XACML works, especially the behaviour of the combining algorithms. We show two approaches to formalizing the standard XACML combining algorithms, i.e., using $\mathcal{V}_6$ and using $\mathcal{P}$. To guard against modelling artefacts, we formally prove the equivalence of these approaches.

The pairwise policy values approach is useful for defining new combining algorithms. For example, suppose we have a new combining algorithm "all permit", i.e., the result of composing policies is permit if all policies give permit values, and otherwise it is deny. Using the pairwise policy values approach, the result of composing a set of policy values $S$ is permit ($[0, 1]$) if $\mathit{Min}_{CP}(S) = [0, 1] = \mathit{Max}_{CP}(S)$, and otherwise it is deny ($[1, 0]$).

Ni et al. propose a $\mathcal{D}$-algebra over a set of decisions for the XACML combining algorithms in [13]. However, there are some mismatches between their results and the XACML specifications. Their formulations are inconsistent with both XACML 2.0 [12] and XACML 3.0 [14].

Both Belnap four-valued logic and $\mathcal{D}$-algebra have a conflict value. In XACML a conflict will never occur, because the combining algorithms do not allow it. A conflict value might nevertheless be a good indication that the policies are not well designed. We propose an extended $\mathcal{P}$ which captures a conflict value in Appendix A.
A Extended Pairwise Policy Values

We add three values to $\mathcal{P}$, i.e., deny with indeterminate permit ($[1, \frac{1}{2}]$), permit with indeterminate deny ($[\frac{1}{2}, 1]$) and conflict ($[1, 1]$), and we call the extended pairwise policy values $\mathcal{P}_9 = \mathcal{P} \cup \{ [1, \frac{1}{2}], [\frac{1}{2}, 1], [1, 1] \}$. The extended pairwise policy values show all possible combinations of pairwise policy values. The ordering of $\mathcal{P}_9$ is illustrated in Figure 5.

Figure 5. Nine-Valued Lattice (top element $[1, 1] = \top_d\top_p$, bottom element $[0, 0] = \bot$)

We can see that $\mathcal{P}_9$ forms a lattice (we call this $\mathcal{L}_9$) where the top element is $[1, 1]$ and the bottom element is $[0, 0]$. The ordering of this lattice is the same as that of $\mathcal{L}_{\mathcal{P}}$, where the greatest lower bound and the least upper bound for $S \subseteq \mathcal{P}_9$ are defined as follows:

$$
\bigsqcap S = \mathit{Max}_{CP}(S) \quad \text{and} \quad \bigsqcup S = \mathit{Min}_{CP}(S)
$$



